Padding application method ensuring security of cryptosystem and encryptor/decryptor

ABSTRACT

An encryptor/decryptor capable of achieving secure cryptographic communication by applying appropriate padding to a cryptosystem such as NTRU cryptosystems.  
When an n-bit plaintext M is received, the OAEP+ padding is applied to it. According to a conversion rule, or conversion function, A that satisfies the conditions below, two bit strings m and r are obtained from the result of the OAEP+ padding. The conversion function A maps a bit string of k bits or less to an element of L_(m)×L_(r), where L_(m) is the set of possible values of m and L_(r) is the set of possible values of r. The conversion function A should satisfy the following conditions: A is injective; A and its inverse can be computed in polynomial time; and, if the encryption function is denoted by E(m, r), the map E: A(X)→L_(e) is a one-way function, where X is the set of pairs (m, r) and L_(e) is the space of all ciphertexts. After the bit string has been divided into the two bit strings m and r, e=E^(r)(m) is computed. The ciphertext e is then transmitted to the receiver.

TECHNICAL FIELD

The present invention relates to an encryption/decryption system, and more particularly to a padding application method and an encryptor/decryptor for ensuring security against chosen ciphertext attacks.

BACKGROUND ART

The social application of cryptographic technology has been vigorously promoted to ensure the security of communication, and efficient cryptographic computation is required more than ever. In this trend, the NTRU cryptosystem proposed in “NTRU: A Ring-Based Public Key Cryptosystem” (Non Patent Document 1) by Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman attracts attention as a high-speed encryption/decryption system with lower memory requirements than the conventional RSA or ElGamal cryptosystems.

(NTRU Cryptosystem)

The NTRU cryptosystem is a public key cryptosystem as follows.

First, a key is created in the following manner. Three integers p, q and N are used as public domain parameters. The ring R=Z[X]/(X^(N)−1) is used. Hereinafter, L(a, b) denotes the set (a subset of R) of elements u∈R having exactly a coefficients equal to 1, b coefficients equal to −1 and all remaining coefficients equal to 0. Parameters df, dg and d are chosen to set L_(f)=L(df, df+1), L_(g)=L(dg, dg+1) and L_(φ)=L(d, d). Two polynomials f∈L_(f) and g∈L_(g) are randomly selected, f being chosen invertible modulo q, and h=f⁻¹g mod q is computed. The private or secret key is the pair of polynomials f, g, while the public key is the polynomial h.

Once the keys have been created, an element m of the subset L_(m) of R, m∈L_(m), is encrypted as follows. A polynomial r∈L_(r) is randomly selected, and e=phr+m mod q is computed. The polynomial e is output as the ciphertext.

To decrypt the ciphertext e back to the original plaintext m, fe=pgr+fm mod q is computed. Since f, g, r and m are elements of the small subsets L_(f), L_(g), L_(r) and L_(m), the coefficients of pgr+fm are small, so reducing fe modulo q into the centred range (−q/2, q/2] yields fe=pgr+fm exactly over the integers. This step is where NTRU decryption can fail: if a coefficient of pgr+fm lies outside that range, the equality does not hold, which is the imperfect decryption exploited in Non Patent Document 9. Reducing modulo p then gives fe (mod p)=fm (mod p); this equals m (mod p) directly when f≡1 (mod p), and otherwise m (mod p) is obtained by multiplying by f⁻¹ mod p, so f must also be invertible modulo p. Finally, since m is an element of L_(m), m=m (mod p), and m is retrieved.

However, as pointed out in “Lattice Attacks on NTRU”, Eurocrypt '97, Springer Lecture Notes in Computer Science, 1997 (Non Patent Document 2) by Don Coppersmith and Adi Shamir, various attacks against the NTRU cryptosystem are known. Accordingly, schemes have been proposed to prevent such attacks in which some kind of padding is applied to the plaintext before NTRU encryption.

(OAEP+Padding System)

As a padding scheme for securing cryptosystems, the one called OAEP+ is known, for example. OAEP+ was proposed in “OAEP Reconsidered”, Journal of Cryptology 15 (4) (Non Patent Document 3) by Victor Shoup. The OAEP+ padding proceeds as follows.

First, integers k, k₀ and k₁ are selected as parameters so as to satisfy k₀+k₁≦k≦L, where L is the number of elements in the plaintext space.

Then, n=k−k₀−k₁ is set.

Let G denote a hash function mapping a k₀-bit string to an n-bit string (G is applied to the k₀-bit random string R below).

Let H′ be a hash function to map an n+k₀-bit string to a k₁-bit string.

Let H be a hash function to map an n+k₁-bit string to a k₀-bit string.

Upon receipt of an n-bit plaintext M, the padder randomly selects a k₀-bit string R. The padder then computes s₀, the bitwise exclusive OR of G(R) and M, as well as s₁=H′(R∥M), and sets s=s₀∥s₁; the symbol “∥” denotes concatenation of bit strings. If t denotes the bitwise exclusive OR of H(s) and R, then w=s∥t. This w is called the “OAEP+ padding of the plaintext M using the random number R”. The OAEP+ padding w thus obtained is encrypted (by a cryptosystem not using random numbers), and the ciphertext e is transmitted to the receiver.

The receiver decrypts the ciphertext e to obtain w. From w, the depadder recovers the plaintext M as follows. First, using w=s∥t=s₀∥s₁∥t, the depadder recovers s₀, s₁ and t. Then the depadder computes the bitwise exclusive OR of H(s) and t to recover R, and the bitwise exclusive OR of G(R) and s₀ to recover M. If s₁=H′(R∥M) holds, the depadder outputs M. Otherwise, the depadder rejects the ciphertext e as invalid and outputs ⊥.

The OAEP+ padding, however, was proposed for cryptosystems that use no random numbers in the computation of the encryption function. Consequently, if OAEP+ is applied to a cryptosystem that uses random numbers, such as NTRU, security is not necessarily ensured. In addition, when OAEP+ is applied to such a cryptosystem, there is not one but many possible ways of applying it. There is therefore also the problem that secure and insecure ways of applying the padding cannot be immediately distinguished.

As just described, the OAEP+ padding ensures security only for cryptosystems not using random numbers. Besides this, several OAEP+ or OAEP+-like padding schemes have been introduced for use with the NTRU cryptosystem, which does use random numbers, in order to ensure its security. Reference may be had, for example, to the following documents:

-   Joseph H. Silverman, “Plaintext Awareness and the NTRU PKCS”, Technical Report #7 version 2, NTRU Cryptosystems, 1998 (Non Patent Document 4)
-   Jeffrey Hoffstein and Joseph H. Silverman, “Optimizations for NTRU”, Public-key Cryptography and Computational Number Theory (Non Patent Document 5)
-   Jeffrey Hoffstein and Joseph H. Silverman, “Protecting NTRU Against Chosen Ciphertext and Reaction Attacks”, Technical Report #16 version 1, NTRU Cryptosystems, 2000 (Non Patent Document 6)
-   Phong Q. Nguyen and David Pointcheval, “Analysis and Improvements of NTRU Encryption Paddings”, Crypto 2002, Springer Lecture Notes in Computer Science, 2002 (Non Patent Document 7)

Attacks against the NTRU cryptosystem have succeeded against all of these padding schemes. The padded version of the NTRU cryptosystem described in Non Patent Document 4 is broken by the algorithm proposed in “A Chosen-Ciphertext Attack against NTRU”, Crypto 2000, Springer Lecture Notes in Computer Science, 2000 (Non Patent Document 8) by Eliane Jaulmes and Antoine Joux.

Further, the padded versions of the NTRU cryptosystem described in Non Patent Documents 5 and 6 are broken by the algorithm proposed in Non Patent Document 7. The padding scheme proposed in Non Patent Document 7 does not protect against the attacks presented in “Imperfect Decryption and an Attack on the NTRU Encryption Scheme” (Non Patent Document 9) by John A. Proos.

Padding schemes other than OAEP+ have also been proposed with the aim of ensuring the security of cryptosystems using random numbers such as NTRU. However, each of them has its own disadvantage, and the OAEP+ padding remains significant for ensuring the security of cryptosystems.

-   Non Patent Document 1: Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman, “NTRU: A Ring-Based Public Key Cryptosystem”
-   Non Patent Document 2: Don Coppersmith and Adi Shamir, “Lattice Attacks on NTRU”, Eurocrypt '97, Springer Lecture Notes in Computer Science, 1997
-   Non Patent Document 3: Victor Shoup, “OAEP Reconsidered”, Journal of Cryptology 15 (4)
-   Non Patent Document 4: Joseph H. Silverman, “Plaintext Awareness and the NTRU PKCS”, Technical Report #7 version 2, NTRU Cryptosystems, 1998
-   Non Patent Document 5: Jeffrey Hoffstein and Joseph H. Silverman, “Optimizations for NTRU”, Public-key Cryptography and Computational Number Theory
-   Non Patent Document 6: Jeffrey Hoffstein and Joseph H. Silverman, “Protecting NTRU Against Chosen Ciphertext and Reaction Attacks”, Technical Report #16 version 1, NTRU Cryptosystems, 2000
-   Non Patent Document 7: Phong Q. Nguyen and David Pointcheval, “Analysis and Improvements of NTRU Encryption Paddings”, Crypto 2002, Springer Lecture Notes in Computer Science, 2002
-   Non Patent Document 8: Eliane Jaulmes and Antoine Joux, “A Chosen-Ciphertext Attack against NTRU”, Crypto 2000, Springer Lecture Notes in Computer Science, 2000
-   Non Patent Document 9: John A. Proos, “Imperfect Decryption and an Attack on the NTRU Encryption Scheme”

DISCLOSURE OF THE INVENTION

Problems that the Invention is to Solve

As described above, secure cryptographic communication cannot be performed with the conventional padded versions of the NTRU cryptosystem.

It is therefore an object of the present invention to provide a padding application method and an encryptor/decryptor that achieve secure cryptographic communication by applying appropriate padding to a cryptosystem such as NTRU.

MEANS OF SOLVING THE PROBLEMS

The present inventor noted that the random numbers used for encryption can be retrieved in the NTRU cryptosystem, and invented a new padding application method capable of ensuring the security of cryptographic communication.

(Reason for the Realization)

The reasoning behind the present invention is outlined below. The ElGamal and Paillier cryptosystems are known as typical cryptosystems using random numbers. In these cryptosystems, the receiver of a ciphertext recovers the original plaintext but not the random number (in ElGamal, obtaining it would amount to solving a discrete logarithm; in Paillier the key holder could in principle compute it, but the scheme makes no use of it). As such, the plaintext and the random number need to be handled as completely different data.

Additionally, in many cryptosystems such as ElGamal and Paillier, the encryption function is a probabilistic function whose domain is the space of all plaintexts M and whose range is the space of all ciphertexts, while the decryption function is a deterministic function whose domain is the space of all ciphertexts and whose range is the space of all plaintexts. Again, in these cryptosystems the random number used for encryption is not recovered.

The NTRU cryptosystem, on the other hand, is characterized in that the random number r can be obtained as r=(fe−fm)/pg after the plaintext m has been recovered. The division is exact: once fe has been reduced into the centred range, fe−fm=pgr holds over the integers, so (fe−fm)/p=gr, and r follows by multiplying by g⁻¹ modulo q, which requires g to be invertible modulo q. Consequently, in the NTRU cryptosystem the plaintext need not be distinguished from the random number, unlike in cryptosystems such as ElGamal and Paillier.

Accordingly, in the NTRU cryptosystem it can be considered that:

the encryption function is a function not based on a random number, whose domain is the space of all concatenations of a plaintext M with a random number R and whose range is the space of all ciphertexts; and that

the decryption function is also a function not based on a random number, whose domain is the space of all ciphertexts and whose range is the space of all concatenations of the plaintext M with the random number R.

As already described, the OAEP+ padding ensures security when the encryption function is not based on a random number. Therefore, the OAEP+ padding, with its security assurance, is applicable to the data structure of the NTRU cryptosystem in which the plaintext is not distinguished from the random number.

SUMMARY OF THE INVENTION

The present invention was made on the basis of these understandings. That is, in accordance with the present invention, there is provided a padding application method to be applied to a cryptosystem E^(r)(m) that allows the receiver of a ciphertext to recover the value of the random number used by the creator of the ciphertext. With the application of the present invention to such a cryptosystem, security is ensured.

In accordance with an aspect of the present invention, there is provided a padding application method for applying a padding scheme that ensures the security of cryptosystems not using random numbers to cryptosystems in which the value of the random number used to create a ciphertext can be recovered at the receiving end. The padding application method comprises the steps of converting input information into a bit string of a prescribed length or less according to the padding scheme, converting the bit string into a first bit string and a second bit string according to a prescribed conversion rule, and supplying the encryption function with the first bit string as data input and the second bit string as random number input. The prescribed conversion rule is a map from bit strings of the prescribed length or less to elements of the direct product of the set of first bit strings and the set of second bit strings, and satisfies the following conditions: the map is injective; the map and its inverse can be computed in polynomial time; and the encryption function whose domain is the direct product is a one-way function.

In accordance with another aspect of the present invention, the conversion rule divides the bit string into two parts, such that the first half of the bit string is the first bit string and the second half is the second bit string.

In accordance with yet another aspect of the present invention, the OAEP+ padding is employed as the padding scheme, and the NTRU cryptosystem is employed as the cryptosystem using random numbers.

FIG. 1 (A) is a conceptual block diagram showing an encryptor adopting a padding application method according to the present invention. FIG. 1 (B) is a conceptual block diagram showing a conventional encryptor adopting an OAEP-based padding scheme. In FIGS. 1 (A) and 1 (B), the most common parameters are employed: n=k₀=k₁, and r denotes the number of bits of m.

Referring to FIG. 1 (A), the padding application method of the present invention will be described. First, parameters are selected in the same manner as for the OAEP+ padding. More specifically, integers k, k₀ and k₁ are selected as parameters so as to satisfy k₀+k₁≦k≦L, where L is the number of elements in the plaintext space. Then n=k−k₀−k₁ is set. Also, let G denote a hash function mapping a k₀-bit string to an n-bit string, let H′ be a hash function mapping an n+k₀-bit string to a k₁-bit string, and let H be a hash function mapping an n+k₁-bit string to a k₀-bit string.

When an n-bit plaintext M is received, the OAEP+ padding is applied to it. That is, a k₀-bit string R is randomly selected. Then s₀, the bitwise exclusive OR of G(R) and M, and s₁=H′(R∥M) are computed, and s=s₀∥s₁ is set; the symbol “∥” denotes concatenation of bit strings. If t denotes the bitwise exclusive OR of H(s) and R, then w=s∥t.

Next, according to a rule A (hereinafter referred to as the conversion function A) that satisfies the conditions given below, two bit strings m and r are generated from w. The conversion function A maps a bit string of k bits or less to an element of L_(m)×L_(r), where L_(m) is the set of possible values of m and L_(r) is the set of possible values of r. The conversion function A should satisfy the following conditions:

(1) A is injective;

(2) A and its inverse map can be computed in polynomial time; and

(3) if the encryption function is denoted by E(m, r), the map E: A(X)→L_(e) is a one-way function (where X is the set of pairs (m, r) and L_(e) is the space of all ciphertexts).

In the case of the NTRU cryptosystem, for example, the bit string w is divided into a first half and a second half, which are set as m and r, respectively. When the bit string w has been converted into the two bit strings, e=E^(r)(m) is computed to encrypt them. The ciphertext e is then transmitted to the receiver.

Having received the ciphertext e, the receiver decrypts it to obtain m. As described above, a characteristic of E^(r)(m) is that r can be recovered, so r is recovered next. Subsequently, w is recovered as w=m∥r. After the recovery of w, the plaintext M is recovered in the same manner as for the OAEP+ padding. More specifically, using w=s∥t=s₀∥s₁∥t, s₀, s₁ and t are recovered. Then the bitwise exclusive OR of H(s) and t is computed to recover R, and the bitwise exclusive OR of G(R) and s₀ is computed to recover M. If s₁=H′(R∥M) holds, M is output. Otherwise, the ciphertext e is rejected as invalid and ⊥ is output.

EFFECT OF THE INVENTION

In the following, the effect of the present invention is described by comparison with the conventional techniques. As can be seen in FIG. 1 (B), which shows an example of a conventional encryptor, in the techniques proposed in Non Patent Documents 4 to 7 only m is obtained from the plaintext M by the OAEP+ (or another) padding, and r is obtained in some other way. Such padding schemes can be applied to cryptosystems such as ElGamal and Paillier, in which only the plaintext, and not the random number, is recovered at the receiving end. However, these padding schemes are ad hoc and cannot ensure security. In particular, in the case of NTRU, complete decryption (recovery of the random number as well as the plaintext) is possible.

In accordance with the present invention, on the other hand, the padding scheme is applied to cryptosystems such as NTRU in which the receiver of a ciphertext can recover the random number as well as the plaintext. Unlike the conventional techniques, both m and r are obtained from the plaintext M by the OAEP+ padding and a prescribed conversion rule (function A). Also unlike the conventional techniques, when applied to cryptosystems such as NTRU in which the receiver of a ciphertext can recover the random number as well as the plaintext, the padding scheme can ensure security.

In other words, in accordance with the present invention, secure cryptographic communication can be performed using the NTRU cryptosystem, a high-speed encryption/decryption system with low memory requirements.

BEST MODE FOR CARRYING OUT THE INVENTION

FIG. 2 is a block diagram showing an example of a cryptographic communication system including an encryptor/decryptor according to the present invention. In FIG. 2, cryptographic communication is performed between communication terminals via a network.

A sending communication terminal comprises a program control processor 10, a random number generator 11, a program memory 12, a memory 13 and a transmitter/receiver 14. As will be described later, the sending communication terminal executes programs stored in the program memory 12, which are necessary for operations such as the OAEP+ transformation, the conversion based on the conversion function A and NTRU encryption, to encrypt a plaintext. The sending communication terminal then transmits the ciphertext from the transmitter/receiver 14 to a destination communication terminal via the network. The memory 13 stores information necessary for encryption, such as public information and a private or secret key.

Similarly, a receiving communication terminal comprises a program control processor 20, a random number generator 21, a program memory 22, a memory 23 and a transmitter/receiver 24. As will be described later, the receiving communication terminal executes programs stored in the program memory 22, which are necessary for operations such as NTRU decryption, random number recovery, inversion of the conversion function and the inverse OAEP+ transformation, to decrypt a ciphertext received through the transmitter/receiver 24. The receiving communication terminal thereby retrieves the plaintext. The memory 23 stores information necessary for decryption, such as public information and a private key.

1. First Embodiment

FIG. 3 is a functional block diagram showing the construction of an encryptor/decryptor according to the first embodiment of the present invention. The encryptor/decryptor of this embodiment comprises an encryptor 100 for encrypting a plaintext, a decryptor 200 for decrypting a ciphertext to a plaintext, a key generator 300, a public information storage 301 for storing the public information necessary for encryption/decryption generated by the key generator 300, and a private key storage 302 for storing the private key information necessary for decryption.

A plaintext is fed to the encryptor 100 through a plaintext input unit 101. The encryptor 100 includes an OAEP+ converter 102, a conversion function A-based converter 103 and an NTRU encryption section 104. A ciphertext created by the encryptor 100 is output to, for example, a receiving terminal through a ciphertext output unit 105.

A ciphertext is fed to the decryptor 200 through a ciphertext input unit 201. The decryptor 200 includes an NTRU decryption section 202, a random number recovery section 203, a conversion function A-based inverter 204 and an OAEP+ inverter 205. A plaintext retrieved by the decryptor 200 is output through a plaintext output unit 206.

1.1) Key Creation

First, the key creation process will be described.

FIG. 4 is a flowchart showing the key creation process according to the first embodiment. The key generator 300 selects integers p, q and N, which are used as public domain parameters. As in the NTRU cryptosystem described above, the ring R=Z[X]/(X^(N)−1) is used. L(a, b) denotes the set (a subset of R) of elements u∈R having exactly a coefficients equal to 1, b coefficients equal to −1 and all remaining coefficients equal to 0. Additionally, the subsets of R are denoted by L_(f), L_(g), L_(r) and L_(m) (step S11).

After that, as previously described for the OAEP+ padding scheme, the key generator 300 selects integers k, k₀ and k₁ as parameters such that they satisfy k₀+k₁≦k≦L, where L is the number of elements in L_(m)×L_(r). Then n=k−k₀−k₁ is set.

Let G denote a hash function mapping a k₀-bit string to an n-bit string.

Let H′ be a hash function to map an n+k₀-bit string to a k₁-bit string.

Let H be a hash function to map an n+k₁-bit string to a k₀-bit string(step S12).

In addition, the key generator 300 determines a conversion function A (step S13). The conversion function A maps a bit string of k bits or less to an element of L_(m)×L_(r). The conversion function A should satisfy the following conditions:

(1) A is injective;

(2) A and its inverse map can be computed in polynomial time; and

(3) if the encryption function is denoted by E(m, r), the map E: A(X)→L_(e) is a one-way function (where X is the set of pairs (m, r) and L_(e) is the space of all ciphertexts).

The key generator 300 creates a key in the same manner as in NTRU. More specifically, two polynomials f∈L_(f) and g∈L_(g) are randomly selected, with f invertible modulo q and g invertible modulo q (the latter so that the division by g in the recovery of r at step S34 can be carried out), and h=f⁻¹g mod q is computed. The private key is the pair of polynomials f, g, while the public key is the polynomial h (step S14). The key generator 300 secretly stores the private key f, g in the private key storage 302 (step S15), and stores the NTRU public key, the hash functions and the conversion function (p, q, N, L_(f), L_(g), L_(r), L_(m), k, k₀, k₁, G, H′, H, A, h) in the public information storage 301, making them public (step S16).

1.2) Encryption

Next, the encryption process will be described.

FIG. 5 is a flowchart showing the encryption process according to the first embodiment. Referring to FIG. 5, the encryptor 100 receives an n-bit plaintext M through the plaintext input unit 101 (step S21). Then the encryptor 100 receives the public information p, q, N, L_(f), L_(g), L_(r), L_(m), k, k₀, k₁, G, H′, H, A and h from the public information storage 301 (step S22).

Subsequently, the encryptor 100 randomly selects a k₀-bit string R (step S23). The OAEP+ converter 102 computes s₀, the bitwise exclusive OR of G(R) and M, as well as s₁=H′(R∥M), and sets s=s₀∥s₁. Further, t is set to the bitwise exclusive OR of H(s) and R, giving w=s∥t. The OAEP+ converter 102 thereby applies the OAEP+ padding to the plaintext (step S24).

According to (m, r)=A(w), the converter 103 converts the bit string w into two bit strings m and r using the conversion function A (step S25). Here, w is divided into two equal halves, a first half bit string m and a second half bit string r. After that, the NTRU encryption section 104 computes e=phr+m mod q to perform NTRU encryption (step S26). The NTRU encryption section 104 thus creates a ciphertext and outputs it through the ciphertext output unit 105 (step S27).

1.3) Decryption

Lastly, the decryption process will be described.

FIG. 6 is a flowchart showing the decryption process according to the first embodiment. Referring to FIG. 6, the decryptor 200 receives a ciphertext e through the ciphertext input unit 201 (step S31). Then the decryptor 200 receives the private key corresponding to the ciphertext from the private key storage 302, and also receives the public information corresponding to the private key from the public information storage 301 (step S32).

The NTRU decryption section 202 decrypts the ciphertext e using the private key and the public information in the same manner as in NTRU. More specifically, the NTRU decryption section 202 computes fe=pgr+fm mod q. Since f, g, r and m are elements of the small subsets L_(f), L_(g), L_(r) and L_(m), the coefficients of pgr+fm are small, and reducing fe modulo q into the centred range gives fe=pgr+fm over the integers, provided that no coefficient wraps around modulo q. Accordingly, the NTRU decryption section 202 computes fe (mod p)=fm (mod p), from which m (mod p) follows (directly if f≡1 (mod p), otherwise by multiplying by f⁻¹ mod p). Since m is an element of the subset L_(m), m=m (mod p), and the NTRU decryption section 202 retrieves m (step S33).

In addition, based on fe=pgr+fm over the integers, the random number recovery section 203 computes r=(fe−fm)/pg, that is, it forms (fe−fm)/p=gr and multiplies by g⁻¹ mod q, to recover the random number r (step S34).

Based on A⁻¹(m, r), the inverter 204 recovers w=s∥t=s₀∥s₁∥t using the inverse of the conversion function A (step S35). Subsequently, the OAEP+ inverter 205 computes the bitwise exclusive OR of H(s) and t to recover R, and the bitwise exclusive OR of G(R) and s₀ to recover M (step S36).

Thereafter, the OAEP+ inverter 205 verifies the validity of the padding according to whether s₁=H′(R∥M) holds (step S37). If the padding is valid, the OAEP+ inverter 205 outputs the plaintext M (step S38). Otherwise, the OAEP+ inverter 205 rejects the ciphertext e as invalid and outputs ⊥ (step S39).
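The following is an added worked example, not code from the patent: a toy Python implementation of the first embodiment, covering the NTRU key creation, encryption, decryption and random-number recovery described in the Background Art section and at steps S14 to S36 above, the OAEP+ padding and depadding, and a conversion function A that splits w into halves. Everything the text does not fix is an assumption made here: the tiny parameters N=61, p=3, q=97 (q is prime rather than a power of two, so one extended-Euclid routine inverts polynomials modulo both p and q, and the weights are chosen so that no coefficient of pgr+fm can wrap modulo q, which rules out decryption failures); G, H′ and H instantiated as domain-separated truncations of SHA-256; each bit of a half of w becoming a 0/1 coefficient of m or r (the page does not fix this encoding, and a binary r is not the L(d, d) set of the NTRU paper); and f⁻¹ mod p applied explicitly in decryption, since fe≡m (mod p) holds only when f≡1 (mod p). The seeded generator DEMO_RNG exists only to make a run reproducible, and pow(x, −1, mod) needs Python 3.8 or later.

```python
# Toy NTRU with random-number recovery, wrapped in OAEP+ via a split-in-half conversion A.
# Parameters, bit encodings and hash oracles are illustrative assumptions, not the patent's.
import hashlib
import random

N, P, Q = 61, 3, 97            # ring Z[X]/(X^N - 1); q is prime here so one routine inverts mod p and mod q
DF, DG = 5, 5                  # f in L(DF, DF+1), g in L(DG, DG+1): each has 11 nonzero coefficients
K, K0, K1 = 2 * N, 32, 32      # w has k = 2N bits so that A can give N bits to m and N bits to r
NB = K - K0 - K1               # plaintext length n = k - k0 - k1 = 58 bits
# p*g*r + f*m never wraps mod q: |coefficient| <= P*wt(g) + wt(f) = 44 <= (Q-1)/2, so decryption cannot fail
assert P * (2 * DG + 1) + (2 * DF + 1) <= (Q - 1) // 2
DEMO_RNG = random.Random(2024) # fixed seed for a reproducible run; real keys need a CSPRNG

def mul(a, b, mod=None):       # product in Z[X]/(X^N - 1); over the integers when mod is None
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c if mod is None else [x % mod for x in c]

def center(a, mod):            # reduce every coefficient into the range (-mod/2, mod/2]
    return [x - mod if x > mod // 2 else x for x in (v % mod for v in a)]

def poly_inv(f, mod):          # f^-1 in Z_mod[X]/(X^N - 1) for prime mod by extended Euclid; None if not invertible
    deg = lambda a: max((i for i, c in enumerate(a) if c), default=-1)
    r0, s0 = [-1 % mod] + [0] * (N - 1) + [1], [0] * N         # X^N - 1 == 0 * f   (mod X^N - 1)
    r1, s1 = [c % mod for c in f] + [0], [1] + [0] * (N - 1)    # f       == 1 * f
    while deg(r1) > 0:         # cancel the leading term of r0 against r1; swap once r0 drops below r1
        k = deg(r0) - deg(r1)
        if k < 0:
            r0, r1, s0, s1 = r1, r0, s1, s0
            continue
        c = r0[deg(r0)] * pow(r1[deg(r1)], -1, mod) % mod
        r0 = [(x - c * r1[i - k]) % mod if i >= k else x for i, x in enumerate(r0)]
        s0 = [(x - c * s1[i - k]) % mod if i >= k else x for i, x in enumerate(s0)]
    if deg(r1) != 0:
        return None
    c = pow(r1[0], -1, mod)
    return [x * c % mod for x in s1]

def ternary(ones, negs, rng):  # random element of L(ones, negs)
    c = [1] * ones + [-1] * negs + [0] * (N - ones - negs)
    rng.shuffle(c)
    return c

def keygen(rng):               # public h = f^-1 g mod q; private f, g plus f^-1 mod p and g^-1 mod q
    while True:
        f, g = ternary(DF, DF + 1, rng), ternary(DG, DG + 1, rng)
        fp, fq, gq = poly_inv(f, P), poly_inv(f, Q), poly_inv(g, Q)
        if fp and fq and gq:
            return mul(fq, g, Q), (f, g, fp, gq)

def ntru_encrypt(h, m, r):     # e = p*h*r + m mod q
    return [(P * x + y) % Q for x, y in zip(mul(h, r, Q), m)]

def ntru_decrypt(sk, e):       # recover m as in NTRU, then r = (f*e - f*m)/(p*g): the receiver gets r too
    f, g, fp, gq = sk
    a = center(mul(f, e, Q), Q)                        # = p*g*r + f*m over Z (no wrap, see the assert above)
    m = center(mul(fp, a, P), P)                       # a == f*m (mod p), so m = f^-1 * a (mod p), centred
    gr = [(x - y) // P for x, y in zip(a, mul(f, m))]  # (f*e - f*m)/p = g*r over Z; the division is exact
    return m, center(mul(gq, gr, Q), Q)                # divide by g in Z_q[X]/(X^N - 1), centre back to {0,1}

def _hash_bits(tag, x, xbits, outbits):   # illustrative hash oracle: SHA-256 of (tag || x), truncated
    digest = hashlib.sha256(tag + x.to_bytes((xbits + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - outbits)

def G(R):   return _hash_bits(b"G", R, K0, NB)         # k0 bits -> n bits
def Hp(RM): return _hash_bits(b"H'", RM, K0 + NB, K1)  # n+k0 bits -> k1 bits
def H(s):   return _hash_bits(b"H", s, NB + K1, K0)    # n+k1 bits -> k0 bits

def oaep_plus_pad(M, R):       # w = s || t with s = (M xor G(R)) || H'(R || M) and t = R xor H(s)
    s = ((M ^ G(R)) << K1) | Hp((R << NB) | M)
    return (s << K0) | (R ^ H(s))

def oaep_plus_unpad(w):        # M, or None (the page's ⊥) when the check s1 == H'(R || M) fails
    t, s = w & ((1 << K0) - 1), w >> K0
    s1, s0 = s & ((1 << K1) - 1), s >> K1
    R = t ^ H(s)
    M = s0 ^ G(R)
    return M if s1 == Hp((R << NB) | M) else None

def A(w):                      # first half of w -> m, second half -> r, one bit per coefficient (assumed encoding)
    hi, lo = w >> N, w & ((1 << N) - 1)
    return [(hi >> i) & 1 for i in range(N)], [(lo >> i) & 1 for i in range(N)]

def A_inv(m, r):               # None when (m, r) lies outside A's image, which a tampered ciphertext can produce
    if any(c not in (0, 1) for c in m + r):
        return None
    return (sum(c << i for i, c in enumerate(m)) << N) | sum(c << i for i, c in enumerate(r))

def encrypt(h, M, rng):        # OAEP+ -> A -> NTRU, with a fresh k0-bit R for every message
    m, r = A(oaep_plus_pad(M, rng.getrandbits(K0)))
    return ntru_encrypt(h, m, r)

def decrypt(sk, e):            # NTRU decryption, r recovery, A^-1, OAEP+ depadding; None means reject
    w = A_inv(*ntru_decrypt(sk, e))
    return None if w is None else oaep_plus_unpad(w)
```

With h, sk = keygen(DEMO_RNG), decrypt(sk, encrypt(h, M, DEMO_RNG)) returns M for any 58-bit M, and ntru_decrypt returns both m and r, which is the property the whole construction rests on. Changing a single coefficient of the ciphertext makes decrypt return None by one of two routes: the recovered r has a coefficient outside {0, 1}, so A_inv rejects, or w is reconstructed but the check s₁=H′(R∥M) fails. Both paths should be made indistinguishable in timing and error reporting in a real implementation, since distinguishable rejections are exactly what reaction attacks feed on.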

2. Second Embodiment

FIG. 7 is a functional block diagram showing the construction of an encryptor/decryptor according to the second embodiment of the present invention. The encryptor/decryptor of this embodiment comprises an encryptor 400 for encrypting a plaintext, a decryptor 500 for decrypting a ciphertext to a plaintext, a key generator 300, a public information storage 301 for storing the public information necessary for encryption/decryption generated by the key generator 300, and a private key storage 302 for storing the private key information necessary for decryption.

A plaintext is fed to the encryptor 400 through a plaintext input unit 101. The encryptor 400 includes a random number generator 401, a private key encryption section 402, an OAEP+ converter 403, a conversion function A-based converter 404 and an NTRU encryption section 405. A ciphertext created by the encryptor 400 is output to, for example, a receiving terminal through a ciphertext output unit 105.

A ciphertext is fed to the decryptor 500 through a ciphertext input unit 201. The decryptor 500 includes an NTRU decryption section 501, a random number recovery section 502, a conversion function A-based inverter 503, an OAEP+ inverter 504 and a private key decryption section 505. A plaintext retrieved by the decryptor 500 is output through a plaintext output unit 206.

2.1) Key Creation

First, the key creation process will be described.

FIG. 8 is a flowchart showing the key creation process according to the second embodiment. The key generator 300 selects integers p, q and N, which are used as public domain parameters. As in the NTRU cryptosystem described above, the ring R=Z[X]/(X^(N)−1) is used. L(a, b) denotes the set (a subset of R) of elements u∈R having exactly a coefficients equal to 1, b coefficients equal to −1 and all remaining coefficients equal to 0. Additionally, the subsets of R are denoted by L_(f), L_(g), L_(r) and L_(m) (step S41).

After that, as previously described for the OAEP+ padding scheme, the key generator 300 selects integers k, k₀ and k₁ as parameters such that they satisfy k₀+k₁≦k≦L, where L is the number of elements in L_(m)×L_(r). Then n=k−k₀−k₁ is set.

Let G denote a hash function mapping a k₀-bit string to an n-bit string.

Let H′ be a hash function to map an n+k₀-bit string to a k₁-bit string.

Let H be a hash function to map an n+k₁-bit string to a k₀-bit string(step S42).

In addition, the key generator 300 determines a conversion function A (step S43). As previously described, the conversion function A maps a bit string of k bits or less to an element of L_(m)×L_(r). The conversion function A should satisfy the following conditions:

(1) A is injective;

(2) A and its inverse map can be computed in polynomial time; and

(3) if the encryption function is denoted by E(m, r), the map E: A(X)→L_(e) is a one-way function (where X is the set of pairs (m, r) and L_(e) is the space of all ciphertexts).

The key generator 300 creates a key in the same manner as in NTRU. More specifically, two polynomials f∈L_(f) and g∈L_(g) are randomly selected, with f invertible modulo q and g invertible modulo q (the latter so that the division by g in the recovery of r at step S64 can be carried out), and h=f⁻¹g mod q is computed. The private key is the pair of polynomials f, g, while the public key is the polynomial h. The key generator 300 secretly stores the private key f, g in the private key storage 302 (step S44).

Further, the key generator 300 determines the common or shared key cryptosystem E to be used (step S45), and stores the NTRU public key, the hash functions and the conversion function (p, q, N, L_(f), L_(g), L_(r), L_(m), k, k₀, k₁, G, H′, H, A, h) in the public information storage 301, making them public (step S46).

2.2) Encryption

Next, the encryption process will be described.

FIG. 9 is a flowchart showing the encryption process according to the second embodiment. Referring to FIG. 9, the encryptor 400 receives an n-bit plaintext X through the plaintext input unit 101 (step S51). Then the encryptor 400 receives the public information p, q, N, L_(f), L_(g), L_(r), L_(m), k, k₀, k₁, G, H′, H, A and h from the public information storage 301 (step S52).

Subsequently, the private key encryption section 402 randomly selects an n-bit string M using the random number generator 401 (step S53). Then the private key encryption section 402 computes Y=E_(M)(X) to perform shared key encryption (step S54). Here E_(M)(X) denotes the result of encrypting the plaintext X according to the shared key cryptosystem E with M as the key.

After that, the encryptor 400 randomly selects a k₀-bit string R (step S55). The OAEP+ converter 403 computes s₀, the bitwise exclusive OR of G(R) and M, as well as s₁=H′(R∥M), and sets s=s₀∥s₁. Further, t is set to the bitwise exclusive OR of H(s) and R, giving w=s∥t. The OAEP+ converter 403 thereby applies the OAEP+ padding to the shared key M (step S56).

According to (m, r)=A(w), the converter 404 converts the bit string w into two bit strings m and r using the conversion function A (step S57). Here, w is divided into two parts: the first half bit string is set as m and the second half bit string as r. After that, the NTRU encryption section 405 computes e=phr+m mod q to perform NTRU encryption (step S58). The NTRU encryption section 405 thus creates a ciphertext e, and outputs it together with the ciphertext Y obtained by the shared key encryption as the ciphertext (e, Y) through the ciphertext output unit 105 (step S59).

2.3) Decryption

Lastly, the decryption process will be described.

FIG. 10 is a flowchart showing the decryption process according to the second embodiment. Referring to FIG. 10, the decryptor 500 receives a ciphertext (e, Y) through the ciphertext input unit 201 (step S61). Then, the decryptor 500 receives the private key corresponding to the ciphertext from the private key storage 302, and also receives the public information corresponding to the private key from the public information storage 301 (step S62).

The NTRU decryption section 501 decrypts the ciphertext e using the private key and the public information in the same manner as in NTRU. More specifically, the NTRU decryption section 501 computes fe=pgr+fm mod q. Since f, g, r, and m are elements of the subsets L_(f), L_(g), L_(r), and L_(m), respectively, the coefficients are small enough that fe=pgr+fm holds exactly, without the reduction mod q. Accordingly, the NTRU decryption section 501 can compute fe (mod p)=m (mod p). Also, since m is an element of the subset L_(m), m=m (mod p), and therefore the NTRU decryption section 501 can retrieve m (step S63).

In addition, based on fe=pgr+fm, the random number recovery section 502 computes r=(fe−fm)/pg to recover the random number r (step S64).

Based on A⁻¹(m, r), the inverter 503 recovers w=s∥t=s₀∥s₁∥t (step S65). Subsequently, the OAEP+inverter 504 computes the exclusive OR of H(s) and each bit of t to recover R. Also, the OAEP+inverter 504 computes the exclusive OR of G(R) and each bit of s₀ to recover M (step S66).

Thereafter, the OAEP+inverter 504 verifies the validity of the padding according to whether s₁=H′(R∥M) is satisfied or not (step S67). If the padding is valid, the OAEP+inverter 504 decrypts the shared key encrypted ciphertext Y with the shared key encryption key M to output the plaintext X (step S68). Otherwise, the OAEP+inverter 504 rejects the ciphertext e as invalid and outputs ⊥ (step S69).
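The OAEP+ layer of the second embodiment, as an added Python example that is not part of the patent: it carries out steps S53 to S57 on the sender side and S65 to S69 on the receiver side, and leaves the NTRU encryption e=E_r(m) and the recovery of (m, r) in steps S58, S63 and S64 to the caller. The instantiation of G, H′ and H with a SHA-256 counter construction, the SHA-256 keystream standing in for the shared key cryptosystem E, and the toy bit lengths are all assumptions.

```python
import hashlib
import secrets

# Constructed toy sizes in bytes (not the patent's parameters): the shared
# key M is n bits, R is k0 bits and H' outputs k1 bits, so w = s||t has
# n + k1 + k0 bits and the conversion A splits it into two equal halves.
N_BYTES, K0_BYTES, K1_BYTES = 16, 8, 8

def _mgf(tag: bytes, data: bytes, nbytes: int) -> bytes:
    """Counter-mode SHA-256 expansion used to instantiate G, H' and H.
    The page only calls them hash functions; this choice is an assumption."""
    blocks = (hashlib.sha256(tag + i.to_bytes(4, "big") + data).digest()
              for i in range((nbytes + 31) // 32))
    return b"".join(blocks)[:nbytes]

def G(R: bytes) -> bytes:        # k0 bits -> n bits
    return _mgf(b"G", R, N_BYTES)

def H_prime(x: bytes) -> bytes:  # n + k0 bits -> k1 bits
    return _mgf(b"H'", x, K1_BYTES)

def H(s: bytes) -> bytes:        # n + k1 bits -> k0 bits
    return _mgf(b"H", s, K0_BYTES)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_plus_pad(M: bytes, R: bytes) -> bytes:
    """Step S56: s0 = M xor G(R), s1 = H'(R||M), s = s0||s1, t = R xor H(s)."""
    s = xor(M, G(R)) + H_prime(R + M)
    return s + xor(R, H(s))

def oaep_plus_unpad(w: bytes):
    """Steps S66-S67: recover R then M, and check s1 == H'(R||M).
    Returns M, or None in place of the reject symbol."""
    s, t = w[:N_BYTES + K1_BYTES], w[N_BYTES + K1_BYTES:]
    s0, s1 = s[:N_BYTES], s[N_BYTES:]
    R = xor(t, H(s))
    M = xor(s0, G(R))
    if not secrets.compare_digest(s1, H_prime(R + M)):
        return None
    return M

def conv_A(w: bytes):
    """Conversion function A of the page: first half of w is m, second half r.
    It is injective and its inverse is plain concatenation."""
    return w[:len(w) // 2], w[len(w) // 2:]

def conv_A_inv(m: bytes, r: bytes) -> bytes:
    return m + r

def shared_key_encrypt(M: bytes, X: bytes) -> bytes:
    """Stand-in for E_M(X): XOR with a SHA-256 keystream keyed by M (constructed;
    the page leaves the shared key cryptosystem E unspecified)."""
    return xor(X, _mgf(b"E", M, len(X)))

def encryptor_side(X: bytes):
    """Steps S53-S57: returns the pair (m, r) to be fed to E_r(m), and Y."""
    M = secrets.token_bytes(N_BYTES)        # S53: random n-bit shared key
    Y = shared_key_encrypt(M, X)            # S54: Y = E_M(X)
    R = secrets.token_bytes(K0_BYTES)       # S55: random k0-bit R
    m, r = conv_A(oaep_plus_pad(M, R))      # S56, S57
    return (m, r), Y

def decryptor_side(m: bytes, r: bytes, Y: bytes):
    """Steps S65-S69, given (m, r) as recovered by the NTRU decryption section."""
    M = oaep_plus_unpad(conv_A_inv(m, r))   # S65, S66, S67
    if M is None:
        return None                         # S69: padding invalid, reject
    return shared_key_encrypt(M, Y)         # S68: XOR keystream, so decrypt == encrypt
```

Any change to a single bit of m or r before A⁻¹ is applied makes the s₁=H′(R∥M) check fail, which is the validity test of step S67 that rejects manipulated ciphertexts.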

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 (A) is a conceptual block diagram showing an encryptor adopting a padding application method according to the present invention;

FIG. 1 (B) is a conceptual block diagram showing a conventional encryptor adopting an OAEP-based padding scheme.

FIG. 2 is a block diagram showing an example of a cryptographic communication system including an encryptor/decryptor according to the present invention.

FIG. 3 is a functional block diagram showing the construction of an encryptor/decryptor according to the first embodiment of the present invention.

FIG. 4 is a flowchart showing the key creation process according to the first embodiment.

FIG. 5 is a flowchart showing the encryption process according to the first embodiment.

FIG. 6 is a flowchart showing the decryption process according to the first embodiment.

FIG. 7 is a functional block diagram showing the construction of an encryptor/decryptor according to the second embodiment of the present invention.

FIG. 8 is a flowchart showing the key creation process according to the second embodiment.

FIG. 9 is a flowchart showing the encryption process according to the second embodiment.

FIG. 10 is a flowchart showing the decryption process according to the second embodiment.

DESCRIPTION OF CODES

-   100 Encryptor
-   101 Plaintext input unit
-   102 OAEP+converter
-   103 Conversion function A-based converter
-   104 NTRU encryption section
-   105 Ciphertext output unit
-   200 Decryptor
-   201 Ciphertext input unit
-   202 NTRU decryption section
-   203 Random number recovery section
-   204 Conversion function A-based inverter
-   205 OAEP+inverter
-   206 Plaintext output unit
-   300 Key generator
-   301 Public information storage
-   302 Private key storage

1. A padding application method for applying a padding scheme that ensures the security of cryptosystems not using random numbers to cryptosystems in which a random number used to create a ciphertext is susceptible to recovery at the receiving end, the method comprising the steps of: converting input information into a bit string with a prescribed length or less according to the padding scheme; converting the bit string into a first bit string and a second bit string based on a prescribed conversion rule; and supplying an encryption function with the first bit string as data input and the second bit string as random number input; wherein the prescribed conversion rule is a map to map the bit string having a prescribed length or less to the element of the direct product of the set of the first bit strings and the set of the second bit strings, and satisfies the following conditions: the map is injective; the map and inverse map thereof are computable in polynomial time; and the encryption function whose domain is the direct product is a one-way function.

2. The padding application method claimed in claim 1, wherein the conversion rule is a rule to divide the bit string into two parts in such a manner as to set the first half of the bit string as the first bit string and the second half of the bit string as the second bit string.

3. The padding application method claimed in claim 1 or 2, wherein the OAEP+padding is employed as the padding scheme, and the NTRU cryptosystem is employed as the cryptosystem using random numbers.

4. A padder used in a padding application method for applying a padding scheme that ensures the security of cryptosystems not using random numbers to cryptosystems in which a random number used to create a ciphertext is susceptible to recovery at the receiving end, the padder comprising: a conversion means for converting input information into a bit string with a prescribed length or less according to the padding scheme; a bit string conversion means for converting the bit string into a first bit string and a second bit string based on a prescribed conversion rule; and an encryption means for supplying an encryption function with the first bit string as data input and the second bit string as random number input to create a ciphertext; wherein the prescribed conversion rule is a map to map the bit string having a prescribed length or less to the element of the direct product of the set of the first bit strings and the set of the second bit strings, and satisfies the following conditions: the map is injective; the map and inverse map thereof are computable in polynomial time; and the encryption function whose domain is the direct product is a one-way function.

5. The padder claimed in claim 4, wherein the conversion rule is a rule to divide the bit string into two parts in such a manner as to set the first half of the bit string as the first bit string and the second half of the bit string as the second bit string.

6. The padder claimed in claim 4 or 5, wherein the OAEP+padding is employed as the padding scheme, and the NTRU cryptosystem is employed as the cryptosystem using random numbers.

7. An encryptor for creating a ciphertext by applying a padding scheme that ensures the security of cryptosystems not using random numbers to a cryptosystem in which a random number used to create a ciphertext is susceptible to recovery at the receiving end, the encryptor comprising: a padding conversion means for converting an input plaintext into a bit string with a prescribed length or less according to the padding scheme; a bit string conversion means for converting the bit string into a first bit string and a second bit string based on a prescribed conversion rule; and an encryption means for supplying an encryption function with the first bit string as data input and the second bit string as random number input to create a ciphertext; wherein the prescribed conversion rule is a map to map the bit string having a prescribed length or less to the element of the direct product of the set of the first bit strings and the set of the second bit strings, and satisfies the following conditions: the map is injective; the map and inverse map thereof are computable in polynomial time; and the encryption function whose domain is the direct product is a one-way function.

8. An encryptor for creating a ciphertext by applying a padding scheme that ensures the security of cryptosystems not using random numbers to a cryptosystem in which a random number used to create a ciphertext is susceptible to recovery at the receiving end, the encryptor comprising: a first encryption means for randomly selecting a private key encryption key, and performing private key encryption for an input plaintext using the private key encryption key to create a first ciphertext; a padding conversion means for converting the private key encryption key into a bit string with a prescribed length or less according to the padding scheme; a bit string conversion means for converting the bit string into a first bit string and a second bit string based on a prescribed conversion rule; a second encryption means for supplying an encryption function with the first bit string as data input and the second bit string as random number input to create a second ciphertext; and a ciphertext output means for outputting the first ciphertext and the second ciphertext as a ciphertext; wherein the prescribed conversion rule is a map to map the bit string having a prescribed length or less to the element of the direct product of the set of the first bit strings and the set of the second bit strings, and satisfies the following conditions: the map is injective; the map and inverse map thereof are computable in polynomial time; and the encryption function whose domain is the direct product is a one-way function.

9. The encryptor claimed in claim 7 or 8, wherein the conversion rule is a rule to divide the bit string into two parts in such a manner as to set the first half of the bit string as the first bit string and the second half of the bit string as the second bit string.

10. The encryptor claimed in claim 7 or 8, wherein the OAEP+padding is employed as the padding scheme, and the NTRU cryptosystem is employed as the cryptosystem using random numbers.

11. An encryption method for creating a ciphertext by applying a padding scheme that ensures the security of cryptosystems not using random numbers to a cryptosystem in which a random number used to create a ciphertext is susceptible to recovery at the receiving end, the method comprising the steps of: converting an input plaintext into a bit string with a prescribed length or less according to the padding scheme; converting the bit string into a first bit string and a second bit string based on a prescribed conversion rule; and supplying an encryption function with the first bit string as data input and the second bit string as random number input to create a ciphertext; wherein the prescribed conversion rule is a map to map the bit string having a prescribed length or less to the element of the direct product of the set of the first bit strings and the set of the second bit strings, and satisfies the following conditions: the map is injective; the map and inverse map thereof are computable in polynomial time; and the encryption function whose domain is the direct product is a one-way function.

12. An encryption method for creating a ciphertext by applying a padding scheme that ensures the security of cryptosystems not using random numbers to a cryptosystem in which a random number used to create a ciphertext is susceptible to recovery at the receiving end, the method comprising the steps of: randomly selecting a private key encryption key; performing private key encryption for an input plaintext using the private key encryption key to create a first ciphertext; converting the private key encryption key into a bit string with a prescribed length or less according to the padding scheme; converting the bit string into a first bit string and a second bit string based on a prescribed conversion rule; supplying an encryption function with the first bit string as data input and the second bit string as random number input to create a second ciphertext; and outputting the first ciphertext and the second ciphertext as a ciphertext; wherein the prescribed conversion rule is a map to map the bit string having a prescribed length or less to the element of the direct product of the set of the first bit strings and the set of the second bit strings, and satisfies the following conditions: the map is injective; the map and inverse map thereof are computable in polynomial time; and the encryption function whose domain is the direct product is a one-way function.

13. The encryption method claimed in claim 11 or 12, wherein the conversion rule is a rule to divide the bit string into two parts in such a manner as to set the first half of the bit string as the first bit string and the second half of the bit string as the second bit string.

14. The encryption method claimed in claim 11 or 12, wherein the OAEP+padding is employed as the padding scheme, and the NTRU cryptosystem is employed as the cryptosystem using random numbers.

15. A decryptor for decrypting a ciphertext created by the encryptor claimed in claim 7, comprising: a first decryption means for decrypting an input ciphertext to generate a first bit string according to a decryption scheme corresponding to the cryptosystem using random numbers; a random number recovery means for recovering a random number used for encryption as a second bit string; a bit string inversion means for inverting the first bit string and the second bit string to a bit string with a prescribed length or less based on the inverse of the conversion rule; a padding inversion means for removing padding according to the padding scheme from the bit string with a prescribed length or less to retrieve the original plaintext; and a determination means for verifying the validity of the padding, and if the padding is valid, outputting the plaintext.

16. A decryptor for decrypting a ciphertext created by the encryptor claimed in claim 8, comprising: a first decryption means for decrypting the second ciphertext to generate a first bit string according to a decryption scheme corresponding to the cryptosystem using random numbers; a random number recovery means for recovering a random number used for encryption as a second bit string; a bit string inversion means for inverting the first bit string and the second bit string to a bit string with a prescribed length or less based on the inverse of the conversion rule; a padding inversion means for removing padding according to the padding scheme from the bit string with a prescribed length or less to retrieve the original private key encryption key; and a second decryption means for verifying the validity of the padding, and if the padding is valid, decrypting the first ciphertext using the private key encryption key.

17. A decryption method for decrypting a ciphertext created according to the encryption method claimed in claim 11, comprising the steps of: decrypting an input ciphertext to generate a first bit string according to a decryption scheme corresponding to the cryptosystem using random numbers; recovering a random number used for encryption as a second bit string; inverting the first bit string and the second bit string to a bit string with a prescribed length or less based on the inverse of the conversion rule; removing padding according to the padding scheme from the bit string with a prescribed length or less to retrieve the original plaintext; and verifying the validity of the padding, and if the padding is valid, outputting the plaintext.

18. A decryption method for decrypting a ciphertext created according to the encryption method claimed in claim 12, comprising the steps of: decrypting the second ciphertext to generate a first bit string according to a decryption scheme corresponding to the cryptosystem using random numbers; recovering a random number used for encryption as a second bit string; inverting the first bit string and the second bit string to a bit string with a prescribed length or less based on the inverse of the conversion rule; removing padding according to the padding scheme from the bit string with a prescribed length or less to retrieve the original private key encryption key; and verifying the validity of the padding, and if the padding is valid, decrypting the first ciphertext using the private key encryption key.

19. A cryptographic communication system comprising communication terminals that perform cryptographic communication through a communication network using a padding scheme that ensures the security of cryptosystems not using random numbers with a cryptosystem in which a random number used to create a ciphertext is susceptible to recovery at the receiving end, wherein: a sending communication terminal includes: a padding conversion means for converting an input plaintext into a bit string with a prescribed length or less according to the padding scheme; a bit string conversion means for converting the bit string into a first bit string and a second bit string based on a prescribed conversion rule, the conversion rule being a map to map the bit string having a prescribed length or less to the element of the direct product of the set of the first bit strings and the set of the second bit strings and satisfying the following conditions: the map is injective; the map and inverse map thereof are computable in polynomial time; and the encryption function whose domain is the direct product is a one-way function; an encryption means for supplying an encryption function with the first bit string as data input and the second bit string as random number input to create a ciphertext; and a transmission means for transmitting the ciphertext to a receiving terminal; and the receiving communication terminal includes: a reception means for receiving the ciphertext from the sending communication terminal; a first decryption means for decrypting the received ciphertext to generate a first bit string according to a decryption scheme corresponding to the cryptosystem using random numbers; a random number recovery means for recovering a random number used for the encryption as a second bit string; a bit string inversion means for inverting the first bit string and the second bit string to a bit string with a prescribed length or less based on the inverse of the conversion rule; a padding inversion means for removing padding according to the padding scheme from the bit string with a prescribed length or less to retrieve the original plaintext; and a determination means for verifying the validity of the padding, and if the padding is valid, outputting the plaintext.

20. A cryptographic communication system comprising communication terminals that perform cryptographic communication through a communication network using a padding scheme that ensures the security of cryptosystems not using random numbers with a cryptosystem in which a random number used to create a ciphertext is susceptible to recovery at the receiving end, wherein: a sending communication terminal includes: a first encryption means for randomly selecting a private key encryption key, and performing private key encryption for an input plaintext using the private key encryption key to create a first ciphertext; a padding conversion means for converting the private key encryption key into a bit string with a prescribed length or less according to the padding scheme; a bit string conversion means for converting the bit string into a first bit string and a second bit string based on a prescribed conversion rule, the conversion rule being a map to map the bit string having a prescribed length or less to the element of the direct product of the set of the first bit strings and the set of the second bit strings and satisfying the following conditions: the map is injective; the map and inverse map thereof are computable in polynomial time; and the encryption function whose domain is the direct product is a one-way function; a second encryption means for supplying an encryption function with the first bit string as data input and the second bit string as random number input to create a second ciphertext; and a ciphertext output means for outputting the first ciphertext and the second ciphertext as a ciphertext; and a receiving communication terminal includes: a reception means for receiving the ciphertext from the sending communication terminal; a first decryption means for decrypting the second ciphertext to generate a first bit string according to a decryption scheme corresponding to the cryptosystem using random numbers; a random number recovery means for recovering a random number used for the encryption as a second bit string; a bit string inversion means for inverting the first bit string and the second bit string to a bit string with a prescribed length or less based on the inverse of the conversion rule; a padding inversion means for removing padding according to the padding scheme from the bit string with a prescribed length or less to retrieve the original private key encryption key; and a second decryption means for verifying the validity of the padding, and if the padding is valid, decrypting the first ciphertext using the private key encryption key.